1. Executive Summary

The Global Research and Analysis Team (GReAT) at Kaspersky Lab has discovered new malware 
attacks in Syria, in which the attackers draw on a range of techniques to hide and operate their 
malware. Besides proficient social engineering tricks, victims are often tempted to open and explore 
malicious files because of the dire need for privacy and security tools in the region. Hoping to stay 
anonymous and to install the latest "protection", victims fall prey to these malicious creations. The 
vast majority of the samples obtained were found on activist sites and in social networking forums. 

The victims are distributed across different countries: 

• Syria 

• Lebanon 

• Turkey 

• Kingdom of Saudi Arabia 

• Egypt 

• Jordan 

• Palestine 

• United Arab Emirates 

• Israel 

• Morocco 

• United States 

The group members are operating from different locations around the world: 

• Syria 

• Russian Federation 

• Lebanon 

The group's attacks are evolving, and they make extensive use of social engineering techniques 
to trick targeted victims into running their malicious files. The principal file extensions observed 
among the malware samples obtained are: 

• .exe 

• .dll 

• .pif 

• .scr 
The group relies on Remote Access Trojan (RAT) tools, of which the most common are: 

• ShadowTech RAT 

• Xtreme RAT 

• NjRAT 

• Bitcomet RAT 

• Dark Comet RAT 

• Blackshades RAT 

The number of malicious files found is 110, with a sharp increase seen in recent attacks. 
The number of domains linked to the attacks is 20. 
The number of IP addresses linked to the attacks is 47. 

Sample details and the domain lists used by the attackers can be found in Appendices 1 and 2 
at the end of the document. 

Protection and resilience against these attacks come from a multi-layered security approach, 
up-to-date security products and, above all, a sceptical attitude towards suspicious files. 
2. Introduction 

The geopolitical conflicts in the Middle East have deepened in the last few years, and Syria is no 
exception. The crisis is taking many forms, and the conflict in cyberspace is intensifying as the sides 
try to tilt the struggle by exploiting cyber intelligence and spreading disinformation. 

In the last few years cyber-attacks in Syria have moved into the front line; many activities in 
cyberspace have been linked to Syria, especially those conducted by the Syrian Electronic Army and 
pro-government groups. 

The Global Research and Analysis Team (GReAT) at Kaspersky Lab has found new malware attacks 
in Syria that use new, but not advanced, techniques to hide and operate malware, combined with 
proficient social engineering to deliver it by tricking and tempting victims into opening and 
exploring malicious files. The malware files have been found on hacked activist sites, web pages 
and in social networking forums. 

Cyber Arabs, an Arabic-language digital security project of the IWPR (Institute for War and Peace 
Reporting), reported four of these samples in March 2014. The same samples were also reported 
on the Syrian Facebook page "Technicians For Freedom": https://www.facebook.com/tech4freedom 

Given the complexity of the situation, there are many factors and entities at play in this event, but 
from the outside these are all largely speculative. Pro-government groups talk about "defense" and 
opposition activists talk about "offense". Here, we will only focus on the malware and the facts that 
have been found during the analysis, presenting only relevant information, in the hope of setting a 
clear context for this research. 
3. Analysis 

3.1. Infection Vectors 

Malware writers use multiple techniques to deliver their files and entice victims to run them, 
creating an effective infection vector. Relying mainly on social engineering, the attackers exploit: 

• Victims' trust in social networking forums 

• Victims' curiosity in following news related to political conflict in Syria 

• Victims' fear of attacks from government 

• Victims' lack of technology awareness 

Once the victim's computer is infected, the attackers have full access to and control over the 
victim's device. The following sections show different versions of posts distributed via popular file 
sharing sites or social networking platforms. Sample details and the domain lists used by the attackers 
can be found in Appendices 1 and 2 at the end of the document. 

3.1.1. Skype messages 

Messages sent via Skype offer links to download: 

1. The "SSH VPN" program to encrypt communication 

2. The popular and effective antivirus with daily updates from "Ammazon Internet Security" 

3. The "SmartFirewall" to block connections made by malware and bad programs 

[Screenshot: Skype message, in Arabic, listing three downloads with Dropbox links: 1. "SSH VPN.rar", 
2. "Ammazon Internet Security.rar", 3. "Smart Firewall.rar", and pointing readers to 
https://www.facebook.com/tech4freedom] 

The messages are usually sent from fake or compromised accounts. 
3.1.2. Facebook posts 

The same messages sent via Skype are also shared via the Facebook social platform, asking victims 
to install these "security programs" to protect themselves from malware infections and cyber-attacks, 
especially government attacks. 



[Screenshot: Facebook post, in Arabic, with the same three Dropbox links ("SSH VPN.rar", 
"Ammazon Internet Security.rar", "Smart Firewall.rar") and a pointer to 
https://www.facebook.com/tech4freedom, followed by the Dropbox link preview "SSH VPN.rar - 
www.dropbox.com - Shared with Dropbox" and a second post repeating the same links] 
3.1.3. YouTube Videos 

In the following example, we can see a YouTube video providing links to download fake Whatsapp 
and Viber applications for PC. By using everyday technologies that are commonly used by a broad 
audience, attackers increase the effectiveness of their operations and their infection rates. 

[Screenshot: Facebook post by "Aleppo Country Now" (January 26) sharing a YouTube link together 
with a file download link hosted on ge.tt] 
3.2. Samples and types of files 

Analysis has led us to identify the following RAT variants being used in the wild: 

• ShadowTech RAT 

• Xtreme RAT 

• NjRAT 

• Bitcomet RAT 

• Dark Comet RAT 

• BlackShades RAT 

The samples collected during our research can be classified as follows. 

Old samples 

Samples obtained during 2013 are simple RAT executable files, compressed and sent to victims 
using a wide range of delivery options. Newer samples were typically found to use ".scr" containers 
to hide the malicious files and avoid early detection by security solutions. A ".scr" (screen saver) 
file is an ordinary Windows executable that runs when double-clicked; only the extension differs 
from an ".exe", and Explorer lists it as a "Screen saver". 

New samples 

More recent samples, starting from the end of 2013, have shown a more organized development 
effort, creating highly stealth and graphically-enticing applications. 

In this analysis we have seen how Syrian malware has evolved, showing no signs of stopping any 
time soon. Even though new malicious Syrian samples are appearing each day, the subset presented 
here will hopefully give the reader an overall view of the techniques and tools that are currently 
being used to target Syrian citizens. 

3.2.1. The National Security Program 

Curiosity killed the cat: browsing a previously leaked spreadsheet of wanted activists leads to 
infection. 

We found a set of compressed files on a popular social networking site; when extracted, it turned 
out to be a database application containing a list of activists and individuals wanted in Syria. A 
video (its Arabic title is not legible in the source) was published on November 9 2013, and the 
download link for this database application was included in the information section of the video. 
[Screenshot: frame from the video showing the archive password 111222333 and the application 
password "syria123!@#", with Arabic captions] 
The download URL redirected victims to a file-sharing service where the file was hosted. The 
compressed RAR file (with an Arabic file name), MD5 0c711bf29815aecc6501671298159a74 and 
7,921,063 bytes in size, was protected with the password "111222333". 

The video requests the victim to scan the password protected ".rar" file using VirusTotal to verify 
that it is not infected. 

After extracting all the files to a temporary folder, we were presented with the application itself and 
a text file needed to access the "hidden" features of the program. 



[Screenshot: extracted files] 

Name                 Date modified        Type                        Size 
Barcode.dll          11/9/2013 7:07 AM    Application extension       11 KB 
Barcode-driver       11/9/2013 7:05 AM    Windows Installer Package   6 KB 
Data-Base            11/9/2013 6:25 AM    Data Base File              7,116 KB 
PASSWORD             11/9/2013 9:42 AM    Text Document               1 KB 
(Arabic name).exe    11/9/2013 11:53 AM   Application                 1,975 KB 

The file PASSWORD.txt contained the following text: 
syria123!@# 
private void txtPass_TextChanged(object sender, EventArgs e) 
{ 
    if (this.txtPass.Text == "syria123!@#") 
    { 
        MyProject.Forms.frmMain.Show(); 
        this.Hide(); 
    } 
} 

Upon closer inspection, the first and last buttons of the application were functional, but the others 
generated error messages (claiming that some files were missing). 

The first button ("General Global File") uses "data-base.db.exe" (MD5 8f16efb51fe67961ee31c4f36cbe11db), 
which is placed into "C:\Users\User\AppData\Roaming" and, when executed, extracts the Excel 
spreadsheet "Data-Base.xlsx" (MD5 f0a8a1556efbb106b6297700d4cce61b) from the "Data-Base.db" file 
(MD5 95a5c3e91bbb4a3a323433841fbef82a) in the main folder. 

The last button is the exit button. 
Here is some interesting information worth noting: 

• The Arabic-named launcher ".exe" is not detected as a malicious file. 

• The file "Data-Base.db" is detected as a malicious file. 


Decompiled excerpt of the button handler (reconstructed from the screenshot; it ends where the 
screenshot does): 

[MethodImpl(MethodImplOptions.NoOptimization | MethodImplOptions.NoInlining)] 
private void Button1_Click(object sender, EventArgs e) 
{ 
    int num2; 
    try 
    { 
        int num3; 
    Label_0000: 
        ProjectData.ClearProjectError(); 
        int num = 1; 
    Label_0007: 
        num3 = 2; 
        if (FileSystem.FileLen(Interaction.Environ("appdata") + @"\Data-Base.db.exe") == 0L) 
        { 
            goto Label_0041; 
        } 
    Label_0026: 
        num3 = 3; 
        FileSystem.Kill(Interaction.Environ("appdata") + @"\Data-Base.db.exe"); 
    Label_0041: 
        ProjectData.ClearProjectError(); 
        num = 1; 
    Label_0048: 
        num3 = 6; 
        string path = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\Data-Base.db.exe"; 
    Label_005C: 
        num3 = 7; 
        if (!File.Exists(path)) 
        { 
            goto Label_0038; 
        } 
The handler first removes any existing "Data-Base.db.exe" from %APPDATA% before the extraction 
step. The file "Data-Base.db" itself is a compressed archive: 

• Product name from the file signature: Project1 

• Publisher name from the signature: Syrian malware 

• Compilation timestamp: 2013-11-09 14:47:26 



[Screenshot: WinRAR view of Data-Base.db.exe - SFX RAR archive, unpacked size 8,566,771 bytes] 

Name              Size         Packed       Type 
Data-Base.xlsx    8,028,085    6,890,304    XLSX File 
sm.dll            518,014      237,544      Application extension 
system32.exe      (not legible)             Application 

SFX script (archive comment): 
Setup=Data-Base.xlsx 
Setup=system32.exe 
Silent=1 
Update=U 
Shortcut=(not legible; references system32) 

The SFX script opens the decoy spreadsheet and runs system32.exe with no visible extraction dialog 
(Silent=1). When system32.exe is run, the process "iexplorer.exe" is spawned and automatically 
registered for Startup; note that the name only mimics Internet Explorer, whose real binary is 
iexplore.exe. The file connects to the IP address 31.9.48.7 on TCP port 999. As mentioned in previous 
reports, the IP address 31.9.48.7 belongs to the Syrian Telecommunications Establishment (STE). 



[Screenshot: packet capture showing 192.168.0.100 attempting TCP connections to 31.9.48.7 on 
port 999, with repeated TCP retransmissions] 

Other temporary files used for the infection were also detected, such as "system32.exe" (MD5 
9424b355a3670fd7749d3d25cbea18cb), which was copied into the "C:\Users\user\appdata\local\temp\" 
folder. 



[Screenshot: Process Explorer handle list of the spawned process, showing several HKCU\Software\... 
and HKLM\SOFTWARE\Wow6432Node\... registry keys, the mutant \Sessions\1\BaseNamedObjects\DC_MUTEX-... 
and \BaseNamedObjects\_ComCatalogCache section objects] 
The presence of DarkComet's "DC_MUTEX-*" mutex was a giveaway of the use of this remote 
administration tool. 

During infection, the Excel spreadsheet is displayed, comprising 96,763 rows and 13 columns of 
activist information. The rows correspond to records of individuals wanted by the government and 
the columns to information about them. While there are no column headers, the data in each column 
reflects its type. 



3.2.2. Files named "Scandals" are quite attractive 

Using shockingly disturbing videos to distribute malware 

A disturbing video showing injured victims of recent bombings was used to appeal to people's fear 
and push them to download a malicious application available on a public file-sharing website. After 
our initial analysis, the executable, whose Arabic name translates as "Scandals", proved to be heavily 
obfuscated with the commercial .NET utility "MaxToCode" as a means of avoiding early detection by 
antivirus solutions. 



[Screenshot: .Net Id 1.0.0.3 (RONGCHAUA.NET), "Identify which protector or obfuscator is applied": 
MaxToCode 100%; .Net Reactor, Rustemsoft Skater, Goliath Obfuscator, PE Compact, Spices Obfuscator, 
Themida, Dotfuscator and Xenocode 0%] 

When executed, the original sample created another executable in the user's temporary folder 
(C:\Users\[USERNAME]\AppData\Local\Temp) named "Trojan.exe", which is the RAT itself. It saves 
all keystrokes and system activity to another file in the same location, "Trojan.exe.tmp". 
Decompiled excerpt of the keylogger's key translation routine (reconstructed from the screenshot; the 
P/Invoke declarations for GetKeyboardState, GetForegroundWindow, GetWindowThreadProcessId and 
GetKeyboardLayout are not shown in the source): 

[DllImport("user32.dll")] 
private static extern uint MapVirtualKey(uint uCode, uint uMapType); 

[DllImport("user32.dll")] 
private static extern int ToUnicodeEx(uint wVirtKey, uint wScanCode, byte[] lpKeyState, 
    [Out, MarshalAs(UnmanagedType.LPWStr)] StringBuilder pwszBuff, int cchBuff, uint wFlags, IntPtr dwhkl); 

private static string VKCodeToUnicode(uint VKCode) 
{ 
    try 
    { 
        StringBuilder pwszBuff = new StringBuilder(); 
        byte[] lpKeyState = new byte[256]; 
        if (!GetKeyboardState(lpKeyState)) 
        { 
            return ""; 
        } 
        uint wScanCode = MapVirtualKey(VKCode, 0); 
        IntPtr foregroundWindow = GetForegroundWindow(); 
        uint lpdwProcessId = 0; 
        IntPtr keyboardLayout = GetKeyboardLayout(GetWindowThreadProcessId(foregroundWindow, out lpdwProcessId)); 
        ToUnicodeEx(VKCode, wScanCode, lpKeyState, pwszBuff, 5, 0, keyboardLayout); 
        return pwszBuff.ToString(); 
    } 
    catch (Exception exception1) 
    { 
        ProjectData.SetProjectError(exception1); 
        Exception exception = exception1; 
        ProjectData.ClearProjectError(); 
    } 
    return ((Keys) ((int) VKCode)).ToString(); 
} 

Captured information is sent to the dynamic DNS host "hacarsll.no-ip.biz" on port 1177 without 
TLS; the fields are merely base64-encoded, which makes analysis of the network traffic a much 
easier task. During the initial connection to the remote server (after an initial ping to check for 
internet connectivity), the Trojan sends the machine name, installed Windows version, logged-on 
username, webcam availability and the version of the RAT in use. 



[Screenshot: captured TCP stream to hacarsll.no-ip.biz:1177. Fields are separated by the string |'|'|; 
several are base64-encoded, and the Windows 7 version string is visible in clear text] 


Several embedded command-line scripts add the Trojan's executable to the Windows Firewall allowed 
list ("netsh firewall add allowedprogram") and set the SEE_MASK_NOZONECHECKS environment variable, 
which suppresses the "Open File - Security Warning" prompt that Windows shows for files carrying 
the Internet zone mark. System persistence is obtained via a modification of the 
"Software\Microsoft\Windows\CurrentVersion\Run" registry key and by adding a copy of the malware 
to the Startup folder. The string "cmd.exe /c ping 127.0.0.1 & del" in the dump below is the usual 
delay-then-self-delete idiom, used when the Trojan updates or uninstalls itself. 
Strings recovered from Trojan.exe (addresses omitted): 

0.6.4 
Trojan.exe 
5cd8f17f4066744065eb0992a09e05a2 
False 
[endof] 
Software\Microsoft\Windows\CurrentVersion\Run 
Software\ 
Microsoft 
Windows 
unknown 
abcdefghijklmnopqrstuvwxyz 
SystemDrive 
SEE_MASK_NOZONECHECKS 
netsh firewall add allowedprogram " 
"ENABLE 
windir 
\system32\ 
Deleted 
Started 
cmd.exe 
getvalue 
Execute ERROR 
Download ERROR 
Executed As 
start 
Update ERROR 
Updating To 
length 
netsh firewall delete allowedprogram " 
Software 
cmd.exe /c ping 127.0.0.1 & del " 
yy/MM/dd 
??/??/?? 


Even though different obfuscation techniques are used in the samples we analysed, all of them have 
underlying dependencies on the .NET framework namespaces, which eventually allows deep source 
code inspection of the threat. 
3.2.3. "Ammazon Internet Security", the "popular antivirus" 



If you thought the era of fake antivirus programs was over, here comes a newly developed sample 
to challenge your beliefs. With the innocent title of "Ammazon Internet Security", this malicious 
application tries to mimic a security scanner, even including a quite thorough graphical user 
interface and some interactive functionality. 




[Screenshot: "Ammazon Internet Security" window with Overall / Scanner / Update / Settings tabs, 
Quick Scan, Full Scan, Browse and Rootkit Scan buttons, a Network panel (bytes received, bytes sent, 
network adapter "Intel(R) PRO/1000 MT Network Connection", speed) and the line 
"Last time scanned: Full Scan - 6/17/2014"] 

Again, this shows how simple it is to create a graphical user interface that will trick most of the 
non-tech-savvy population. Using nothing more than a couple of buttons and a catchy name, Syrian 
malware groups were hoping that the intended victims would fall for the trap. Interestingly, analysing 
the code revealed that it has the look and feel of a security application but, of course, no real security 
features. By silently executing a remote administration tool when this "security suite" is launched, 
targeted victims were left without their "Ammazon" protection but with a RAT installed. 



From the Windows process list shown in Process Explorer, we were able to see "J. L Antivirus 4.0" 
executing in our system, and through Process Monitor we caught the creation of the "analysis" log 
file for our fake antivirus. Behind the curtains, a connection is made to a remote host, sending real 
time information on all our activities — the real cost of this free internet security suite! 

Among the many programming methods found inside the source code, we were even able to find 
a "CheckForUpdates" function; and if you look closely enough you can see "Detect" and 
"Quarantine" types inside the assembly. So not only has a lot of work gone into creating this fake 
antivirus, the authors also followed good programming practice and implemented a module for each 
(albeit fake) function. At a really quick first glance this could pass as a legitimate tool, but a deeper 
inspection reveals its true malicious nature. 
[Screenshot: decompiler tree for the assembly "J.L Antivirus 4.0.exe" (root namespace 
J.L_Antivirus_4._0) with the types Detect, Form1 and Quarantine; the selected class is Form1] 

Decompiled excerpt of the update routine (reconstructed from the screenshot; the FTP URL and the 
hard-coded credentials are redacted in the source, and illegible values are marked "..."): 

public void CheckForUpdates() 
{ 
    string path = Application.StartupPath + "/..."; 
    string requestUriString = "..."; 
    FtpWebRequest request = (FtpWebRequest) WebRequest.Create(requestUriString); 
    request.Credentials = new NetworkCredential(/* redacted */); 
    request.KeepAlive = false; 
    request.UseBinary = true; 
    request.Method = "RETR"; 
    using (FtpWebResponse response = (FtpWebResponse) request.GetResponse()) 
    { 
        using (Stream stream = response.GetResponseStream()) 
        { 
            using (FileStream stream2 = new FileStream(path, FileMode.Create)) 
            { 
                byte[] buffer = new byte[...]; 
                int count = 0; 
                do 
                { 
                    count = stream.Read(buffer, 0, buffer.Length); 
                    ... 
                } 
                while (count != 0); 
                stream.Close(); 
                ... 

The real log file was one where all keystrokes were recorded and later sent from the computer via a TCP 
connection. Even though this type of keylogging functionality is nothing new, when we consider how 
these malicious applications are being used, and the control they give to the attackers, we can start to 
measure the importance of reporting these threats and providing protection from them. 



Evidently the malware authors didn't bother to provide an option to close the "antivirus", and if 
you kill the process you get a 'blue screen of death' and an unexpected system reboot. The stop 
message below ("a process or thread crucial to system operation has unexpectedly exited") is what 
Windows reports when a process that has marked itself as critical is terminated, so when triaging 
such a sample suspend the process, or check its critical (BreakOnTermination) flag in a tool such as 
Process Hacker, rather than killing it. Naturally, the fake application loads again once the system is 
back up, which makes this an interesting way of guaranteeing persistence. 



[Screenshot: Windows stop screen] 

A problem has been detected and Windows has been shut down to prevent damage to your computer. 

A process or thread crucial to system operation has unexpectedly exited or been terminated. 

If this is the first time you've seen this stop error screen, restart your computer. If this screen 
appears again, follow these steps: 

Check to make sure any new hardware or software is properly installed. If this is a new installation, 
ask your hardware or software manufacturer for any Windows updates you might need. 

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS 
memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable 
components, restart your computer, press F8 to select Advanced Startup Options, and then select 
Safe Mode. 

Technical information: 

*** STOP: 0x000000F4 (parameters not legible) 

Collecting data for crash dump ... 
Initializing disk for crash dump ... 
3.2.4. You've installed the latest antivirus solution, now let's "protect your network" 

Total Network Monitor (which is a legitimate application) was inside another sample we found, 
used with embedded malware for spying purposes. Offering security applications to protect against 
surveillance is one of the many techniques used by malware writing groups to get victims who are in 
desperate need for privacy to execute these dubious programs. 



An almost fully functional version of the "Total Network Monitor" utility is included. What this 
modified version does not show is the remote connection made to a host to which system information 
is dumped. The actual infection is performed when the installer is first clicked; it uses obfuscation 
to hide all malicious activity until the "legitimate" tool is completely installed. 



[Screenshot: the bundled "Total Network Monitor" window] 

As with other samples reviewed, system persistence is obtained by modifying Windows start-up registry 
keys. Using names such as "Desktop Manager" increases the likelihood for this threat to go unnoticed. 
However, the entry name "empty" or "empty.exe" should raise a red flag when auditing these keys. 
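The behaviours described in sections 3.2.2 and 3.2.4 (netsh firewall whitelisting, the SEE_MASK_NOZONECHECKS variable, the "ping 127.0.0.1 & del" self-delete, Run-key and Startup-folder persistence pointing into user-writable folders, and the look-alike process name "iexplorer.exe") translate directly into host detection rules. The following Python script is an added example, not code from the report or from any of the samples: it runs such rules over a handful of constructed endpoint events. The event schema (event, image, cmdline, target, value) is this example's own simplification, not Sysmon's, and the rule that also matches the modern "netsh advfirewall" syntax goes beyond the legacy command seen in the strings dump.

```python
"""Detection rules for the host behaviours described in this report.

Added example, not code from the report. EVENTS is constructed and uses a
simplified schema (event, image, cmdline, target, value); field names are this
example's own, not Sysmon's.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Folders an unprivileged user can write to; persistence pointing here is suspicious.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads)\\", re.IGNORECASE)
# Legacy "netsh firewall" (seen in the strings dump) plus the newer "netsh advfirewall" form.
NETSH_ALLOW = re.compile(
    r"\bnetsh\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.IGNORECASE,
)
# "cmd.exe /c ping 127.0.0.1 & del <file>": ping is the delay, del removes the dropper.
SELF_DELETE = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+ping\s+127\.0\.0\.1\b.*&\s*del\b", re.IGNORECASE)
# Names from the report that imitate or borrow legitimate Windows names.
LOOKALIKES = {
    "iexplorer.exe": "Internet Explorer is iexplore.exe",
    "system32.exe": "system32 is a directory, never a binary name",
}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rule_netsh_allow(e: Event) -> bool:
    return e["event"] == "process_create" and bool(NETSH_ALLOW.search(e.get("cmdline", "")))

def rule_nozonecheck(e: Event) -> bool:
    # Set for a child on the command line, or persisted under HKCU\Environment.
    return "SEE_MASK_NOZONECHECKS" in (e.get("cmdline", "") + " " + e.get("target", "")).upper()

def rule_self_delete(e: Event) -> bool:
    return e["event"] == "process_create" and bool(SELF_DELETE.search(e.get("cmdline", "")))

def rule_run_key_user_writable(e: Event) -> bool:
    return (
        e["event"] == "registry_set"
        and re.search(r"\\CurrentVersion\\Run(?:Once)?\\", e.get("target", ""), re.IGNORECASE) is not None
        and USER_WRITABLE.search(e.get("value", "")) is not None
    )

def rule_startup_folder(e: Event) -> bool:
    pattern = r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:exe|scr|pif)$"
    return e["event"] == "file_create" and bool(re.search(pattern, e.get("target", ""), re.IGNORECASE))

def rule_lookalike_name(e: Event) -> bool:
    return basename(e.get("image") or e.get("target") or "") in LOOKALIKES

RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("netsh_allow_program", rule_netsh_allow),
    ("see_mask_nozonechecks", rule_nozonecheck),
    ("ping_del_self_delete", rule_self_delete),
    ("run_key_user_writable", rule_run_key_user_writable),
    ("startup_folder_executable", rule_startup_folder),
    ("lookalike_process_name", rule_lookalike_name),
]

# Constructed events, loosely modelled on the behaviours described in the report.
EVENTS: List[Event] = [
    {"event": "process_create", "image": r"C:\Users\user\AppData\Local\Temp\Trojan.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE'},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 & del "C:\Users\user\Downloads\Scandals.exe"'},
    {"event": "registry_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Manager",
     "value": r"C:\Users\user\AppData\Roaming\empty.exe"},
    {"event": "registry_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},  # benign: not user-writable
    {"event": "file_create",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe"},
    {"event": "process_create", "image": r"C:\Users\user\AppData\Roaming\iexplorer.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\iexplorer.exe"},
    {"event": "process_create", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},  # the real browser
    {"event": "registry_set", "target": r"HKCU\Environment\SEE_MASK_NOZONECHECKS", "value": "1"},
]

def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires, in rule order per event."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]

if __name__ == "__main__":
    for idx, rule_name in detect(EVENTS):
        print(f"event {idx}: {rule_name}")
```

The run-key rule deliberately keys on where the value points rather than on the value name, since names such as "Desktop Manager" are chosen to look benign; the OneDrive entry shows a legitimate autorun passing untouched.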

3.2.5. Whatsapp and Viber for PC: Instant messaging, instant infection 

As with other samples, social engineering does all of the heavy work. Instant messaging applications 
for desktop operating systems have been used in the past to spread malware and it seems that Syrian 
malware authors have jumped on the bandwagon. In contrast to the "Ammazon Internet Security", these 
samples don't contain any graphical user interface or even an error message that will tell the victim not 
to worry about their security. Heading straight for system infection has proven successful for them, and 
using these popular application names gets the interest of a much larger audience. 
[Screenshot: Facebook post by "Aleppo Country Now" sharing a link to a file hosted on ge.tt] 

The following screenshot shows how the application name, intended functionality and even the icon 
used, all work in conjunction to create a believable story for the victim. And this is not a comprehensive 
list, by any means. Framing and social engineering techniques are playing an essential role in all Syrian 
related malware threats and the trend suggests that the complexity of them will only keep on increasing. 



[Screenshot: Explorer view of the samples] 

• Ammazon Internet Security: company "Smart", version 1.0.0.0 

• Smart Firewall: company "Smart", version 1.0.0.0 

• Whatsapp for pc 2014: company "Windows" 

• Viber for pc.exe: type "Screen saver", 2.60 MB 

• svchost: company "Windows" 

• SSH VPN: company "Smart", version 1.0.0.0 

• svchost.exe.tmp: TMP file, 1 byte 

3.2.6. Beware of chemical attacks 

Another attack uses social engineering tricks. The sample 38e3bc8776915dbd2e55a4d90f85a872, 
named "Kimawi.exe" and carrying a JPG icon, is a RAT file bound to the picture "Kimawi.jpg". This 
picture is a previously leaked paper, supposedly from the regime in Syria, warning military units to 
prepare for chemical attacks from friendly units. 
[Image: Kimawi.jpg, the decoy document] 
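Sections 3.2 ("Old samples"), 3.2.1 (the self-extracting Data-Base.db.exe), 3.2.5 (the "Viber for pc.exe" listed as a screen saver) and 3.2.6 (Kimawi.exe) all turn on a file's real format not matching what its name or icon claims. The Python script below is an added example, not code from the report: it checks a file's bytes against its claimed extension, flags PE executables delivered as .scr/.pif or behind a double extension, and spots a PE stub with a RAR archive appended. All sample bytes are constructed in fake_pe() and SAMPLES; the names only echo the report, the bytes are not the real files. Icon spoofing (a JPG icon on Kimawi.exe) needs resource parsing and is out of scope here.

```python
"""Does a file's real format match what its name claims?

Added example, not code from the report. SAMPLES holds constructed bytes whose
names echo the report; they are not the real files.
"""
import struct
from typing import Dict, List

PE_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".com"}
DOCUMENT_EXTENSIONS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".xlsx", ".txt", ".db"}
# RAR 1.5-4.x and RAR5 archive signatures.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_embedded_rar(data: bytes) -> bool:
    """True if a RAR signature appears after the first byte (SFX stub followed by the archive)."""
    return any(sig in data[1:] for sig in RAR_SIGNATURES)


def extensions(name: str) -> List[str]:
    """All dotted suffixes, lower-cased: 'Data-Base.db.exe' -> ['.db', '.exe']; 'README' -> []."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage(name: str, data: bytes) -> List[str]:
    """Return findings for one file; an empty list means nothing looked wrong."""
    findings: List[str] = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    pe = is_pe(data)
    if pe and last in {".scr", ".pif"}:
        findings.append(f"PE executable delivered as {last}; Windows runs it like an .exe")
    if pe and last in DOCUMENT_EXTENSIONS:
        findings.append(f"PE executable hiding behind document extension {last}")
    if pe and len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS | PE_EXTENSIONS:
        findings.append(f"double extension {''.join(exts[-2:])}")
    if pe and has_embedded_rar(data):
        findings.append("PE contains a RAR archive: self-extracting stub, inspect the SFX script")
    if not pe and last in PE_EXTENSIONS:
        findings.append(f"{last} file without a valid PE header")
    return findings


def fake_pe(trailer: bytes = b"") -> bytes:
    """Constructed minimal PE-looking blob: MZ header, e_lfanew = 0x40, PE signature, then trailer."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20 + trailer


# Constructed samples; names echo the report, bytes are synthetic.
SAMPLES: Dict[str, bytes] = {
    "Viber for pc.exe.scr": fake_pe(),
    "Data-Base.db.exe": fake_pe(b"\x00" * 64 + b"Rar!\x1a\x07\x00" + b"\x00" * 32),
    "Kimawi.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,   # a real JPEG header, no PE
    "broken.exe": b"MZ" + b"\x00" * 10,                 # claims .exe, too short to be a PE
}


def triage_all(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(name, "->", findings or ["nothing suspicious"])
```

Run the script on a directory of downloads by reading each file's first few kilobytes into `triage()`; the RAR check needs the whole file, since the archive sits after the SFX stub.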



3.2.7. Commands and functionality 

Different remote administration tools have been spotted in the wild; most of them provide an 
extensive range of functionality to fully control infected systems. These include: 

• Keylogging 

• Capturing screenshots and webcam control 

• Recording live sound/video 

• Installing programs 

• Uploading/downloading files 

• File, process and registry key management 

• Remote shell 

• Executing DDoS attacks 
Among the most popular RATs found in the sample subset is DarkComet, a free remote 
administration tool that provides a comprehensive command set for attackers to use for their 
malicious purposes. 



[Screenshot: DarkComet control panel. Function groups visible: System Info (System Monitor, 
Computer Info, Trace Map); Fun Functions (Fun Manager, Piano, MessageBox, Microsoft Reader, 
Remote Chat); System Functions (Process Manager, Remote Registry, Remote Shell, Windows List, 
Uninstall Applications, System Privileges, Hosts File); Remote MSConfig (Services Startup, Registry 
Startup); Remote Scripting (Html Scripting, Batch Scripting, VB Scripting); Files Manager (Explorer 
files, Search for files); Passwords / Datas (Stored Passwords, uTorrent Downloads); MSN Functions 
(MSN Control, MSN Contacts); Spy Functions (Webcam Capture, Sound Capture, Remote Desktop, 
Keylogger); Network Functions (Active Ports, Network Shares, Server Socks5, LAN Computers, Net 
Gateway, IP Scanner, URL Download, Browse Page, Redirect IP/Port, WiFi Access Points); Misc 
Functions (Print Manager, Clipboard); Computer Power (Poweroff, Shutdown, Restart, Logoff); 
Restart Socket; Server Actions (Lock Computer, Restart Server, Close Server, Uninstall Server, 
Upload And Execute, Remote Edit Server); Update Server (From URL, From File)] 

DarkComet Control panel & Functionality 

Another RAT widely used in the Arab world is NjRAT, which includes a list of commands (see 
below) that can be sent from the controller to the infected system. 

Command   Option   Function 
--------  -------  -------------------------------------------------------------- 
"PROC"    ~        Retrieve information about current running process 
          K        Kill a process 
          KD       Kill list of processes and delete module files 
          RE       Restart a running process 
"RSS"              Start a CMD and direct STDIN and STDOUT to be controlled by C&C 
"RS"               Send command to CMD 
"RSC"              Terminate CMD process 
"KL"               Retrieves keylogging file 
"INF"              Information about system drive, malware status 
"RN"               Download and run a file from a specified URL 
"CAP"              Screenshots, desktop monitoring 
"p"                Ping 
"UN"               Completely uninstall Trojan 
          !        Terminate Trojan process 
          @        Restart Trojan 
"UP"               Update Trojan 
"RG"               Enumerate registry key 
          !        Set key value 
          @        Delete registry key 
          #        Create subkey 
          $        Delete subkey 
3.2.8. Evolution of malware attack file numbers 

The attackers are working at full power, and the number of attacks and malicious files being 
distributed is constantly increasing as they become more organized and proficient. Below is the 
timeline distribution for malicious files distributed during 2013-2014, based on the first time they 
were distributed or seen in public (Skype, Facebook, file-sharing, email, etc.). 

[Chart: number of malicious files per quarter by first-seen date, Q1 2013 to Q2 2014 (y-axis up to 40)] 

Below is the timeline distribution for the collected samples based on compilation time: 

[Chart: number of samples per quarter by compilation time, Q2 2012 to Q2 2014 (y-axis up to 25)] 

The sample details and domain lists used by the attackers can be found in Appendices 1 and 2 
at the end of the document. 

3.2.9. Locations, domains and team 



The group responsible for the attacks uses common techniques shared by many hacking groups 
around the world. They rely on dynamic domains linked to their modems and configured to forward 
to the public IP address assigned by the ISP. By restarting their modems they obtain a new address, 
creating a dynamic infrastructure that is easy to manage. Dynamic Update Clients (DUC) on their 
computers (usually the same machine as the RAT server) are in charge of having the dynamic 
domain provider update the domain to the newly assigned address. 



[Figure: illustration of the dynamic domain setup described above] 
A video published by one of the attackers shows a group member using a TP-Link TD-W8968 
modem, a model commonly found in SOHO environments. 
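As an added example (not part of the report), detection logic for the infrastructure pattern described above, run over constructed DNS log lines: names on the dynamic DNS services used by the domains in Appendix 2 resolving into 31.9.48.0/24, plus a watched name whose answer changes, which is what the DUC produces after a modem restart. The log format (timestamp, client, queried name, answer) is an assumption.

```python
"""Spot the dynamic-DNS C&C pattern from the report in DNS query logs.
Added example, not from the report; the log lines are constructed and the
'timestamp client qname answer' format is assumed."""
import ipaddress

# Dynamic DNS services behind the C&C domains listed in Appendix 2
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "zapto.org", "linkpc.net",
                   "publicvm.com", "sytes.net", "mooo.com")
# Range the report ties to the attackers (TARASSUL ISP, section 3.2.9)
WATCHED_NETS = [ipaddress.ip_network("31.9.48.0/24")]

# Constructed sample log: 10.0.0.x clients, documentation-range answers for the
# benign names, and 31.9.48.x answers taken from Appendix 2 for the C&C names
SAMPLE_LOG = """\
2014-05-01T10:00:01 10.0.0.12 www.example.org 198.51.100.7
2014-05-01T10:00:07 10.0.0.12 thejoe.publicvm.com 31.9.48.146
2014-05-01T10:01:15 10.0.0.33 update.corp.local 10.0.5.5
2014-05-01T10:02:40 10.0.0.45 tn5.linkpc.net 31.9.48.11
2014-05-01T10:03:02 10.0.0.45 camera.no-ip.org 203.0.113.9
2014-05-01T10:04:10 10.0.0.12 thejoe.publicvm.com 31.9.48.146
2014-05-01T10:05:10 10.0.0.12 thejoe.publicvm.com 31.9.48.147
"""


def is_dyndns(qname):
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in DYNDNS_SUFFIXES)


def in_watched_range(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:            # NXDOMAIN or malformed answer field
        return False
    return any(addr in net for net in WATCHED_NETS)


def parse_line(line):
    ts, client, qname, answer = line.split()
    return {"ts": ts, "client": client, "qname": qname, "answer": answer}


def score(rec):
    """0: nothing; 1: dynamic DNS only (noisy, many legitimate users);
    2: dynamic DNS name resolving into a watched range (high confidence)."""
    s = 1 if is_dyndns(rec["qname"]) else 0
    if s and in_watched_range(rec["answer"]):
        s = 2
    return s


def analyse(log_text):
    """Return every scored record; a high-confidence name whose answer moved
    gets a note, since that is the DUC re-pointing the domain to a new IP."""
    alerts, seen = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        rec["score"] = score(rec)
        answers = seen.setdefault(rec["qname"], [])
        if rec["score"] == 2 and answers and rec["answer"] != answers[-1]:
            rec["note"] = f"address changed {answers[-1]} -> {rec['answer']}"
        if rec["answer"] not in answers:
            answers.append(rec["answer"])
        if rec["score"]:
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a["score"], a["qname"], a["answer"], a.get("note", ""))
```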
[Screenshot: YouTube channel "shadi shady" belonging to one of the attackers] 

YouTube page for one of the attackers showing videos about their web defacements, cyber-attacks 
and an interview with a radio channel talking about their hacking achievements 



Since the end of 2013, the group has extensively relied on a class C IP subnet, 31.9.48.0/24, 
provided by TARASSUL ISP (Syrian Telecommunications Establishment) for its attacks. We suspect 
this subnet has been allocated to the group, also an indication that they are now operational from a 
single location. 

In early 2014, the group moved to an IP address in Russia (31.8.47.7), to launch multiple new 
attacks. 

Information on domain "All4Syrian.com" 

This domain is registered to the email aloshalaa@gmail.com. It served as a pro-regime website back 
in 2012 and is being used for the C&C of some of the RAT files. 

The domain was registered to okpal984@gmail.com from 2011 to 2013. 

Malware has also been seen connecting to xtr.all4syrian.com and vip.all4syrian.com. 

Attackers' geographical distribution 

The map below shows the attackers' geographical distribution based on the geolocation of the IP 
addresses used by the C&C servers: 
3.2.10. Victims 

The distribution of victims is not confined to Syria, but also reaches nearby countries. We have 
observed victims of the Syrian-based malware in: 

• Syria 

• Lebanon 

• Turkey 

• Kingdom of Saudi Arabia 

• Egypt 

• Jordan 

• Palestine 

• United Arab Emirates 

• Israel 

• Morocco 

• United States 
Victims geographical distribution map 

Map showing geographical distribution of victims with zoom on the most affected areas 

Below are snapshots taken from videos published by the attackers, showing their RAT control panel 
and list of victims. This shows some of the victims located in different countries. 




The sample details and domain lists used by the attackers can be found in Appendices 1 and 2 at the 
end of this document. 



3.2.11. Activist Behavior 

It is worth noting that we have seen evidence of activists trying to carry out Denial of Service 
attacks on the RAT domains and servers, in an effort to overwhelm their resources and cause their 
connections to time out. 

The post below shows a warning from activists about pro-government hacker attacks on Facebook 
pages, explaining how pro-government groups post links to Trojanized applications in order to infect 
users. The activists announce in the post that they have spotted a C&C domain used by the Trojans 
and that they are attacking it to free all hacked victims. 



TLP: Green 

For any inquiries please contact intelreports@kaspersky.com 



[Screenshot: Facebook post by the activist page "String of Light" warning about the Trojanized applications and announcing the attack on the C&C host (port 1177)] 

The Arabic text of the post translates as "Host Attack in progress .. to remove all hacked victims 
with help of god". 






3.3. Attribution 




Team and positions 



From many posts, forums and identification videos, it is clear that the group has an organized 
structure of teams working together. The names and positions outlined below were collected from 
posts on infiltrated forums or pages. They are all either nicknames or incomplete names that do not 
enable full identification of the attackers. 

The Resistant Syrian Electronic Army 

• Group 1: Team Hacker and Assad Penetrations Unit 

• Group 2: Anonymous Syria Al Assad Unit 

• Group 3: Management of Electronic Monitoring and Central Tracking Unit 



Group 1: Team Hacker and Assad Penetrations Unit 

Name                                    Position 
--------------------------------------  ----------------------------------------- 
Shady                                   Head of Assad Hacker team 
Fadi                                    Responsible for raids 
Sarmad                                  Responsible for operations in raids unit 
Mahmoud                                 Assistant to the head of management unit 
Girl nickname Fidaeya (redemptionist)   Member of support and publishing team 
Najma                                   Member of media and publishing team 

Group 2: Anonymous Syria Al Assad Unit 

Name                                    Position 
--------------------------------------  ----------------------------------------- 
Jabbour                                 Public relations manager 
Haydara                                 Electronic ambushes unit 
Alaa Morched                            Electronic monitoring unit and follow up 
Ahmad                                   Responsible for team unit 
Nariman                                 Responsible for team unit 
Ali                                     Responsible for team unit 
Zina                                    Responsible for team unit 
Derkachli Kordahli                      Responsible for destruction of victim accounts 
Ahmad and Morad                         Engaged in attacks 

Group 3: Management of Electronic Monitoring and Central Tracking Unit 

Name                                    Position 
--------------------------------------  ----------------------------------------- 
Kenan                                   Head of team 
Okba                                    Head of electronic operations 
Ahmad                                   Head of electronic raids 
Ritzel (heart of the lion)              Head of electronic penetration operations 
4. Kaspersky Lab MENA RAT Statistics 

Remote Administration Tool (RAT) Trojans are malicious programs that allow a remote "operator" to 
control a system as if they had physical access to it. Malicious RATs are widely used by different 
types of cybercriminals (hacktivists, script-kiddies and scammers) and even in some state-sponsored attacks. 

Some of the most popular RATs are detected by Kaspersky products as follows: 

• Trojan.MSIL.Zapchast, also known as Njrat 

• Backdoor.Win32.Bifrose, also known as Bitfrose 

• Backdoor.Win32.Fynloski, also known as DarkComet 

• Backdoor.Win32.Xtreme, also known as Xtremrat 

The statistics below, extracted from the Kaspersky Security Network (KSN), show the number of 
RAT infection attacks blocked by Kaspersky Lab products in the MENA (Middle East and North Africa) 
region in the 2013-2014 period: 



Country/Detection   Zapchast   Bitfrose   Fynloski   XtremeRAT   Total 
------------------  ---------  ---------  ---------  ----------  ------- 
Algeria             39113      12071      11643      7106        69900+ 
Turkey              6326       3325       14002      3586        27200+ 
KSA                 9616       5555       5336       4516        25000+ 
Egypt               5567       5883       4325       2634        18400+ 
Iraq                6756       2280       3235       3055        15300+ 
UAE                 3594       1165       9244       745         14700+ 
Morocco             4084       2710       3104       1233        11100+ 
Lebanon             426        297        8073       136         8900+ 
Tunisia             2844       1888       1495       1004        7200+ 
Syria               2806       1897       1362       544         6600+ 
Qatar               1332       327        2177       233         4000+ 
Jordan              1259       680        1104       414         3400+ 
Oman                1241       446        915        374         2900+ 
Bahrain             1218       178        1214       254         2800+ 
Kuwait              454        407        922        345         2100+ 
[Bar chart: Trojan detection in the MENA region, per country (Algeria through Kuwait, as in the table above), split by Zapchast, Bitfrose, Fynloski and XtremeRAT; x-axis 0 to 80000 detections] 
Based on KSN world statistics, the MENA region has one of the highest numbers of RAT attacks, as 
shown below: 

Country              Number of users 
-------------------  --------------- 
Algeria              39113 
India                35024 
France               10955 
Saudi Arabia         9616 
Mexico               6862 
Iraq                 6756 
Turkey               6321 
Egypt                5567 
Russian Federation   5526 
Malaysia             5014 

NjRAT infection top 10 



• Algeria has the highest number of users facing NjRat infection for the 2013-2014 period, and five 
countries from MENA are in the NjRat top 10. 

• Algeria has the highest number of users facing Xtreme RAT infection for the 2013-2014 period, 
and four countries from MENA are in the Xtreme RAT top 10. 

• Four countries from MENA are in the Bifrose top 10 infection list. 

• Three countries from MENA are in the DarkComet top 10. 
5. Conclusion 

Syrian malware relies heavily on social engineering and on the active development of 
technologically complex malicious variants. Nevertheless, most of them quickly reveal their true 
nature when inspected carefully; this is one of the main reasons for urging Syrian users to be 
extra vigilant about what they download and to implement a layered defense approach. 

Antivirus software uses either signature or heuristic-based detection to identify malware. On the 
one hand, signature detection searches for a unique sequence of bytes that is specific to a piece 
of malicious code. On the other hand, heuristic detection identifies malware based on program 
behaviour. In our research we were able to collect more than 100 malware samples used to attack 
Syrian citizens. Although most of these samples are known, cybercriminals rely on a plethora of 
obfuscation tools and techniques in order to change the malware structure so as to bypass signature 
scanning and avoid antivirus detection. This proves how critical heuristic technologies are when 
it comes to protecting against these types of attack. By being able to identify variants of known 
malware types or even new malware families, Kaspersky Lab security products detected all the 
collected samples. 

We expect these attacks to continue and evolve both in quality and quantity. We expect the 
attackers to start using more advanced techniques to distribute their malware, using malicious 
documents or drive-by download exploits. With enough funding and motivation they might also be 
able to get access to zero day vulnerabilities, which will make their attacks more effective and allow 
them to target more sensitive or high profile victims. 

Even though the attackers depend mainly on using known RATs, their rapid improvement and 
application of obfuscation techniques, GUI development for fake applications, and code modification 
via automated builders, increase the probability that it won't be too long before they start writing 
their own Trojans to take advantage of customized infection capabilities and implement better 
security evasion. 

Finally, having a comprehensive and up-to-date antivirus and firewall should be the first measure 
taken by any user that does any type of online activity, especially during these uncertain times when 
new cyber threats appear almost daily. 



Appendix 1: Samples 

All samples table 

The list of sample files was collected through the infection vectors detailed above (Skype, Facebook, 
file-sharing, email, etc.). The samples were either generated using automated tools (RAT server, 
obfuscation tools) or developed and bound to RAT files, especially the new samples with graphical content. 



Appendix 2: C&C Domains 

The following is a list of the domains and corresponding IP addresses used in the attacks, with the 
location of each address. 


